Court Dismissed Another Data Breach Suit

Another court has held that plaintiffs cannot recover for a breach of their sensitive data, absent a clear financial injury resulting directly from the breach.

On July 12, 2012, the U.S. District Court for the Western District of Kentucky dismissed a data breach lawsuit against various Countrywide Financial Corporation entities, now owned by Bank of America. See Holmes v. Countrywide Fin. Corp., No. 08-cv-00205-R, 2012 WL 2873892 (W.D. Ky. July 12, 2012).

The Holmes plaintiffs were four individuals who had objected to and opted out of a class action settlement, which was approved in August 2010. See In re Countrywide Fin. Corp. Customer Data Security Breach Litigation, No. 08-MD-01998, 2010 WL 3341200 (W.D. Ky. Aug. 23, 2010).

The underlying class action sought damages for a Countrywide employee’s theft of sensitive personal and financial information on 2.4 million Countrywide customers, which information was later sold to third parties. The Holmes plaintiffs, however, did not suffer any actual identity theft.

The Holmes plaintiffs alleged that they suffered injury from the data theft because they were forced to take measures to protect themselves from identity theft, such as enrolling in an independent credit monitoring service (despite being offered free monitoring by Countrywide) and spending time researching identity theft, and because they were forced to cancel their telephone service after being inundated with telemarketing calls. Plaintiffs, in essence, sought to recover based on a risk of future identity theft.

Although the Court found that the plaintiffs alleged injuries sufficient to confer Article III standing under Sixth Circuit precedent, the Court found that the plaintiffs’ allegations did not suffice to state a viable claim of damages under Kentucky and New Jersey law.

Despite concluding that the plaintiffs lacked a cognizable injury, the Court proceeded to address the merits of the plaintiffs’ claims, and it is worth noting the Court’s position on the plaintiffs’ numerous theories of liability:

• Unjust enrichment: The plaintiffs claimed that Countrywide was unjustly enriched by the fees they paid to it throughout the terms of their relationships because the payments were based on the implicit understanding that Countrywide would safeguard the plaintiffs’ data. The court rejected this claim under a fundamental principle of contract law that a party cannot recover on a quasi-contractual theory such as unjust enrichment when an express contract covers the subject matter of the parties’ dispute.

• Common law fraud: The plaintiffs alleged fraud claims under Kentucky and New Jersey law, alleging material misrepresentations regarding the storage of their personal information and the severity of the data breach. The Court rejected this claim because a fraud claim requires a reliance on a material misrepresentation resulting in harm; the court noted that the plaintiffs’ only damages were self-inflicted (i.e., monies paid for credit monitoring).

• Breach of contract and covenants of good faith and fair dealing: The plaintiffs alleged that Countrywide agreed to but failed to safeguard the plaintiffs’ personal information and failed to mitigate damages. The court dismissed these claims based on a lack of actual damages.

• New Jersey security breach notification laws: The court dismissed this claim because the law lacks a private right of action.

• Kentucky and New Jersey consumer fraud laws: The court dismissed these claims because the plaintiffs failed to sufficiently allege an ascertainable loss.

• Fair Credit Reporting Act: The Court dismissed this claim because, even if Countrywide was a “consumer reporting agency” under FCRA, it had no liability because it did not “furnish” any information to third parties in violation of the statute. The court was unwilling to construe the theft of data from Countrywide as a situation in which Countrywide provided the data to third parties.

• Conspiracy: Although Kentucky and New Jersey recognize claims for civil conspiracy, both states require an actionable underlying tort. Because the plaintiffs failed to state any such claim, the Court dismissed this count as well.

The Holmes decision further underscores plaintiffs’ difficulties in securing any recovery on a data breach lawsuit absent actual identity theft. However, the lengthy history of this case—dating back to 2008 and including a challenge to a court-approved settlement—highlights that such cases are often protracted and may be costly to defend.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
